Full Disclosure mailing list archives
[Professional IT Security Providers - Exposed] Cyberklix ( F+ )
From: secreview <secreview () hushmail com>
Date: Thu, 13 Dec 2007 12:23:02 -0800 (PST)
We discovered Cyberklix by searching for "Penetration Testing" on Google, as usual. When we first saw their website we thought that it looked very professional. We were actually under the impression that they might end up being an A- or a B+ company. But we were wrong, and here's why...

Over the course of two days and a dozen calls we were unable to contact a human at sales. Every time we tried we were directed to a woman's voice mail. We decided to skip sales and call the Cyberklix Security Operations Center, and were successful. We had a wonderful conversation with a very smart person in their Security Operations Center, and as a result, here is what we learned.

The Cyberklix Managed Security Services, with respect to IDS/IPS, are nothing special. They are using third-party technology and tying it all together with the RSA Envision Engine. Specifically, the technologies that they are using are Cisco technologies, McAfee IPS technology, and RSA's Envision engine for correlation. (We would have used ArcSight instead, as we think it's much better.) Frankly, if we wanted to choose a provider of Managed IDS/IPS services, we'd want to see them using at least some proprietary technologies. How else are they supposed to have a competitive advantage?

We also weren't very impressed with their alerting capabilities. When we asked them how they alert people about Events of Interest, we were told that they create a ticket in a system. Once the ticket is created, the customer needs to log into the system to evaluate the ticket. We're sure that there's more to it than that, but that's what we were told. Yes, the system also has the ability to block or shun attacks, but that's only if it can detect them. We think that we could probably attack a Cyberklix customer and evade detection... wanna challenge us?

Anyway, enough on their Managed Security Services. As previously mentioned, we were unable to contact anyone in sales. So, our opinion of the Cyberklix Professional Service Capabilities is being forged strictly from their website and information that we can collect from Google and other sources. We'd be happy to update our opinion if someone would provide us with useful information about Cyberklix. So here it is...

Cyberklix offers Information Security Consulting, Security Policy Design & Review, Vulnerability Assessment & Remediation, Penetration Testing, Network Security Architecture & Design, Security Audit, Project Management Services, Implementation Services, and Computer Forensics. So, the first thing that struck us as odd was "Project Management Services". What the hell does that mean, right?

Upon review of their services we discovered that we could eliminate two of them. We eliminated their Information Security Consulting Service and their Project Management Services. The Consulting service offering isn't actually an offering, it's just a repeat of the services that they offer, and the Project Management service is not a security service, it is something that should be offered by staffing companies. So... what the hell?

When we reviewed the services as presented on the Cyberklix website we realized that they were nothing special, just like their Managed Security Services. In fact, we're willing to bet that their services are what we would call "rubber stamp" services and are based on automation as opposed to true Ethical Hacker talent. We saw no indication anywhere that Cyberklix was following any sort of strong testing methodology like the OSSTMM, etc., and as a result we are not impressed at all.

All in all, our opinion is that Cyberklix services will do little to nothing to raise the proverbial security bar and protect you from real world malicious hackers. They might help you to identify common or known issues, but you could do that yourself by downloading Nessus. (Oh, and you could also create a better IDS/IPS solution by combining OSSEC with Prelude and Snort =] for free.) So, we'd recommend spending your hard earned money with someone else. Sorry Cyberklix...

Oh, and one last thing. The Cyberklix website is SQL Injectable. So why would anyone hire a company to protect them if they can't even protect themselves?

-- Posted By secreview to Professional IT Security Providers - Exposed at 12/12/2007 02:39:00 PM